Vulnerability Development mailing list archives
Re: cached logon credentials
From: despot <despot () CROSSWINDS NET>
Date: Sat, 6 Jan 2001 13:57:16 -0800
Hmmm...
> I'm curious about NT's cached logon credentials. I've got a copy of a registry and in it are keys HKLM\Security\Cache\NL$1 through NL$10, which MS KB article Q199071 indicates as being the cached logon credentials. Is this data already in a format that can be run through a password cracker like L0pht? If not, are there any ideas on how to convert it? A quick conversion to ASCII shows what looks like account names.
HKLM\SECURITY\Policy\Secrets. There are many credentials cached here... password hashes of the last 10 users to log in to the machine (for your cracking pleasure)... plaintext computer account, service account, etc. passwords (keep on converting). lsadump (lsadump2) is a nice tool that dumps Local Security Authority secrets info from the registry.
> I was also looking at another registry for an NT4 workstation SP6 that I have used cached credentials to log on with, and I don't see the HKLM\Security\Cache key. Where then are the cached logon credentials stored?
Should still be there... HKLM\SECURITY\Policy\Secrets. SP6 and a post-SP5 hotfix added SYSKEY encryption to secrets. If you have Admin access to the machine that reg belongs to (simple given physical access), run lsadump2. It pulls out interesting LSA info and bypasses any SYSKEY encryption. This tool (along with many other tools and interesting papers) can be found at razor.bindview.com. -Andrew
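A defender-side check to go with the thread, added here and not part of the original post or of lsadump2: the number of NL$ slots Windows fills is governed by the Winlogon value CachedLogonsCount (default 10, matching the NL$1 through NL$10 keys discussed above), so limiting it bounds how many domain users' cached logon entries a registry copy can ever hold. The threshold of 1 is an assumed hardening target, not a Microsoft default; run from an elevated PowerShell prompt.

```powershell
# Audit (and optionally tighten) the number of domain logons Windows caches in
# HKLM\SECURITY\Cache. Added example; the MaxAllowed default is an assumed policy.
param(
    [int]$MaxAllowed = 1,   # assumed policy: keep at most one cached logon (0 disables caching)
    [switch]$Remediate       # without this switch the script only reports
)

$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'CachedLogonsCount'

# The value is stored as REG_SZ; when it is absent, Windows applies its default of 10.
$item = Get-ItemProperty -Path $winlogon -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    $current = 10
    $source  = 'default (value not set)'
} else {
    $current = [int]$item.$valueName
    $source  = 'registry'
}

Write-Host ('CachedLogonsCount = {0} ({1})' -f $current, $source)

if ($current -gt $MaxAllowed) {
    Write-Warning ('Up to {0} cached domain logon entries may be kept in HKLM\SECURITY\Cache; policy allows {1}.' -f $current, $MaxAllowed)
    if ($Remediate) {
        # Write the new limit as a string: Winlogon reads this value as REG_SZ, not REG_DWORD.
        Set-ItemProperty -Path $winlogon -Name $valueName -Value ([string]$MaxAllowed) -Type String
        Write-Host ('Set CachedLogonsCount to {0}. The change applies to future logons.' -f $MaxAllowed)
    }
} else {
    Write-Host 'Cached logon count is within policy.'
}
```

Setting the value to 0 is the strictest option but means domain users cannot log on while the domain controller is unreachable, so the right limit depends on whether the machine is a roaming laptop or a desk-bound workstation.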
Current thread:
- cached logon credentials David J Laumann (Jan 05)
- <Possible follow-ups>
- Re: cached logon credentials despot (Jan 06)